Suspected Hamas-linked hackers target Israel with new version of SysJoker malware

Hackers possibly linked to the Palestinian militant group Hamas are targeting Israeli critical industry sectors with a new version of the SysJoker backdoor malware, according to cybersecurity researchers.

SysJoker was previously used against Israel’s educational institutions in 2021. However, since then, the hackers have almost entirely rewritten its code and improved the malware’s capabilities.

The new version of SysJoker, discovered in October, is written in the Rust programming language instead of C++. The migration to Rust might be an attempt to make analysis more challenging, according to research by the cybersecurity firm Intezer.

Intezer attributed the malware to a “previously unidentified” advanced persistent threat (APT) group, which it named WildCard, but the company didn’t link it to any specific country. However, a report published by the cybersecurity firm Check Point last week suggests a connection between the updated SysJoker malware and Hamas.

Both companies noted the timing for the arrival of the new version of the backdoor malware, which appeared during the war between Israel and Hamas.

The researchers at Intezer identified Arabic words in the malware code and found connections with the threat actor Gaza Cybergang, which targeted Israel Electric Company in 2016-17.

New York-based Intezer was founded by veterans of the Israeli Defense Forces. Check Point has headquarters in California and Tel Aviv.

SysJoker evolution

The original version of SysJoker was designed to target Windows, macOS, and Linux systems. Intezer said the switch to Rust might “might be an attempt to simplify multi-platform targeting.” Intezer and Check Point analyzed samples that targeted Windows.

As with the previous versions, the hackers disguised the malware as legitimate software. They probably used phishing emails to convince victims to download it, researchers said.

The new backdoor was likely recently used against critical sectors in Israel, such as education, IT infrastructure, and possibly electric power generation, according to Intezer. However, the company didn’t provide specific examples. It is also unclear whether any of the attacks were successful.

According to Intezer, the code written in Rust was intended to look like a legitimate PHP executable. PHP is a scripting language mostly used for web development.

Once inside the system, the malware collects information about the infected computer, including the Windows version, username, and various other data, Check Point said. SysJoker can also download and execute new malware on victim devices, according to research by VMware from the previous year.

Researchers said they believe this threat actor will likely increase its operational tempo to match the current conflict with Israel.